What is AI governance?

AI governance is how a company sets rules for using AI safely and legally. In practice that means an AI usage policy, a register of which AI tools are approved, and a way to show staff have read the rules. It is how you avoid shadow AI, where employees use unapproved tools that may train on or leak your data.

Do small companies need an AI usage policy?

Yes. The moment anyone on your team uses ChatGPT, Copilot or similar for work, you have AI risk: confidential data can leak into tools that train on it. A short AI usage policy plus an approved-tools list is the cheapest, fastest control, and it is now expected by SOC 2 auditors and the EU AI Act's AI-literacy duty.

Is ModelCharter free?

The AI usage policy generator and the full AI Tool Risk Directory are free forever, with no login. Paid Team and Business plans add a shared tool register, versioned policy, employee attestation tracking and exportable compliance reports.

How accurate is the AI Tool Risk Directory?

Every fact is compiled from the vendor's own privacy policy, DPA and trust centre, with source links. Anything we could not confirm is shown as Unverified rather than guessed, so always check the linked source before relying on a fact.

For teams without a compliance department

Give your team an AI charter.

Your team already runs on ChatGPT, Copilot and a dozen other AI tools. ModelCharter shows you which ones are safe, writes the policy that covers them, and keeps a record that everyone has read it. No compliance hire required.

Generate your free policy Explore the tool directory

No signup, no card. 22 AI tools rated from their own privacy policies.

modelcharter.com / register

AI tool register

3 approved · 2 in review · 1 restricted

Live

Tap a tool to set its status

Policy v3 adopted

Acknowledged by 23 of 25

AI tools rated

70+

facts sourced from vendor policies

frameworks mapped

to generate your first policy

How it works

Three steps from shadow AI to under control.

No consultants, no six-week rollout. Each piece works on its own, and they add up to the evidence an auditor or a customer will ask you for.

Step 01 · Write

A real AI usage policy, tailored to you

Answer a few plain questions about your team, your data and the rules you follow. You get a policy you can adopt today, built around the EU AI Act, NIST AI RMF, ISO 42001 and SOC 2. Edit it, download it, or save versions to your workspace.

Open the generator

ModelCharter · AI usage policy

Northwind Labs AI Usage Policy

1. 1. Purpose & scope

2. 2. Our approach to AI

3. 3. Approved tools

4. 4. What you may and may not put into AI tools

Acknowledged by 23 of 25Export PDF

Step 02 · Vet

Know which AI tools are safe for work

Look up how popular AI tools actually treat your data: whether they train on it, how long they keep it, and which certifications they hold. Every fact is sourced from the vendor's own policies, and every risk score shows its working.

Browse the directory

ModelCharter · AI Tool Risk Directory

High risk

ChatGPTLow risk · 14

ClaudeLow risk · 20

GitHub CopilotMedium risk · 25

Step 03 · Prove

Show that everyone has read the rules

Share one link and watch acknowledgements come in. You get a dated record of who agreed to the policy and when, which is the proof auditors and customers look for when they ask how you govern AI.

See team plans

ModelCharter · Attestations

Who has read the policy

92%

AMEngineeringSigned
JSDesignSigned
RTCustomer successSigned
KPMarketingPending

AI Tool Risk Directory

Is that AI tool safe for work?

A sample of the directory, rated for default at-work use. Open any tool to see the data-handling facts and where each one came from.

View all 22 tools →

ChatGPTLow risk · 14

OpenAI · assistant

Consumer/free ChatGPT uses your chats for training unless you proactively disable it, so staff pasting work data into personal accounts can leak it into model improvement.

ClaudeLow risk · 20

Anthropic · assistant

Even when a consumer opts out of training, conversations flagged for safety review can still be retained up to two years and used to improve models without notifying the user.

GitHub CopilotMedium risk · 25

GitHub (Microsoft) · coding

On individual (free/Pro) plans, code snippets can be retained and used for model improvement unless opted out, so developers on personal accounts may expose proprietary code.

Otter.aiMedium risk · 34

Otter.ai, Inc. · meetings

Otter trains its own models on de-identified user content by default and its meeting assistant can auto-join calendar meetings, raising consent and surveillance concerns (it is the subject of a wiretap/consent class action).

MidjourneyHigh risk · 97

Midjourney, Inc. · image

All prompts and generated images are public by default and licensed for model training, and Stealth Mode (Pro/Mega only) merely hides outputs from the public gallery without exempting them from training, so confidential work-related content should not be used.

Notion AILow risk · 6

Notion Labs, Inc. · productivity

Some AI features can optionally enable data-retaining LLMs via workspace settings, so an admin must confirm the workspace stays on zero/short-retention configurations.

AI governance was built for the Fortune 500. We built it for everyone else.

The enterprise platforms are capable, but they are sold through sales teams, priced for big budgets, and aimed at companies that already have a compliance function. Most teams do not. ModelCharter gives you the parts that actually matter, today.

Enterprise governance suites

Book a demo, annual contracts
Built for dedicated compliance teams
Weeks to onboard
Five-figure starting price

ModelCharter

Self-serve and free to start
Built for teams with no compliance hire
A usable policy in one sitting
$49/mo when you need the team features

Built around the frameworks you are measured on

EU AI Act

European Union

NIST AI RMF

U.S. National Institute of Standards and Technology

ISO 42001

International Organization for Standardization

SOC 2

American Institute of Certified Public Accountants (AICPA)

FAQ

Questions, answered.

Still unsure? Get in touch.

What is AI governance?: AI governance is how a company sets rules for using AI safely and legally. In practice that means an AI usage policy, a register of which AI tools are approved, and a way to show staff have read the rules. It is how you avoid shadow AI, where employees use unapproved tools that may train on or leak your data.
Do small companies need an AI usage policy?: Yes. The moment anyone on your team uses ChatGPT, Copilot or similar for work, you have AI risk: confidential data can leak into tools that train on it. A short AI usage policy plus an approved-tools list is the cheapest, fastest control, and it is now expected by SOC 2 auditors and the EU AI Act's AI-literacy duty.
Is ModelCharter free?: The AI usage policy generator and the full AI Tool Risk Directory are free forever, with no login. Paid Team and Business plans add a shared tool register, versioned policy, employee attestation tracking and exportable compliance reports.
How accurate is the AI Tool Risk Directory?: Every fact is compiled from the vendor's own privacy policy, DPA and trust centre, with source links. Anything we could not confirm is shown as Unverified rather than guessed, so always check the linked source before relying on a fact.

Get your AI usage policy today.

Free, no signup. Then see which of your tools are safe to use, and bring the whole team along.

Start now